Documentation
¶
Overview ¶
Package sqltemplate rewrites a SQL template into a parameterized query.
A statement carries two kinds of variables:
{{name}} - rewritten into ordered bind placeholders ($1, $2, ...) whose
values are returned alongside the query. Identical values are
deduplicated to a single placeholder.
{{.name}} - substituted verbatim into the statement (for composing SQL
fragments such as a sub-query source).
For example, given the statement
select * from ({{.source}}) as s where name={{name}}::text and value={{value}}::text
and the parameters name="abc", value="123", source="select 1" the engine produces
select * from (select 1) as s where name=$1::text and value=$2::text
with bindings ["abc", "123"]. Bind values ({{name}}) are passed to the driver untouched — the $N placeholders make them injection-safe regardless of content.
Verbatim values ({{.name}}) are substituted directly into the SQL text, so they must be TRUSTED fragments (e.g. a controlled sub-query source). The strip of ;'" is only a backstop, not a defense against injection; never feed untrusted input through {{.name}} — use a {{name}} bind placeholder instead.
The package is pure and has no dependencies beyond the standard library: it performs only string and text/template work and never touches a database or driver.
Index ¶
Constants ¶
const ErrInvalidStatement errs.Const = "sqltemplate: invalid sql statement"
ErrInvalidStatement is returned when a statement cannot be parsed or rendered into a parameterized query.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Query ¶
type Query string
Query is a rendered statement whose binds are $1, $2, ... placeholders.